Today the Securities and Exchange Commission (SEC) sanctioned eight firms in three actions for failures in their cybersecurity policies and procedures that resulted in email account takeovers exposing the personal information of thousands of customers and clients at each firm. A total of $800,000 were levied against these firms.

In summary, the firms named in the alert published by the SEC were fined due to one or more of the following reasons:

  1. Some of the firms failed to employ the practices they outlined in their policies and procedures.
  2. Some of the firms sent breach notifications to clients that included misleading language suggesting that the notifications were issued much sooner than they actually were after discovery of the incidents.
  3. One of the firms waited three years since the original breach to adopt and implement firm-wide enhanced security measures for cloud-based email accounts of its representatives.

In dissecting this a bit further and applying our knowledge of what we see in the industry, this is what really happened:

  1. Some of the firms adopted policies that they could never comply with, or never bothered updating template policies that they were provided with.
  2. Some of the firms were not familiar with what their actual breach notification responsibilities were, and when they found out, they had to make it seem like they were complying.
  3. One of the firms underestimated how seriously cybersecurity issues can impact their business.

So, what is the lesson here?

  1. Make sure policies and procedures are rightsized for the firm. If you state something in your policy, make sure you can comply with it, and as for procedures, make sure you can prove it.
  2. Breach notification laws dictate who must comply, definitions of personal information, what constitutes a breach, requirements for notice, and exemptions. All 50 states have enacted some legislation. This may also be required on the federal level and outside of the U.S. (e.g., GDPR)
  3. Do not wait until it is too late, start building your cyber program, continue enhancing, testing, and measuring your security posture to ensure you are as secure as you can be.

How can we help?

We understand your business, the need to prove compliance and maintain a high-level of security. Elteni helps you establish a right-sized cybersecurity program with policies and procedures that your firm can comply with.